From 414a06df330b557e49bbb91eec2e1fbc347017ab Mon Sep 17 00:00:00 2001 From: Mahesh Lanka Date: Wed, 12 Oct 2016 14:27:21 +0530 Subject: mm-video-v4l2: vdec: Disallow input usebuffer for secure case In secure mode, input buffer _must_ be allocated by the component to allocate a secure buffer. Client-supplied memory via usebuffer does not qualify as secure-memory and must be rejected. This also avoids accidental heap-overflow while copying bitstream from user-memory to a smaller-sized secure-payload (usually the buffer-header itself) Bug : 30148882 Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11) Change-Id: Ic252f6062af65cc4adea62c0d68d0096e95d2a99 --- mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp index 945aef1..feba71f 100644 --- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp @@ -4562,6 +4562,12 @@ OMX_ERRORTYPE omx_vdec::use_input_heap_buffers( { DEBUG_PRINT_LOW("Inside %s, %p", __FUNCTION__, buffer); OMX_ERRORTYPE eRet = OMX_ErrorNone; + + if (secure_mode) { + DEBUG_PRINT_ERROR("use_input_heap_buffers is not allowed in secure mode"); + return OMX_ErrorUndefined; + } + if (!m_inp_heap_ptr) m_inp_heap_ptr = (OMX_BUFFERHEADERTYPE*) calloc( (sizeof(OMX_BUFFERHEADERTYPE)), @@ -5819,7 +5825,7 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, /*for use buffer we need to memcpy the data*/ temp_buffer->buffer_len = buffer->nFilledLen; - if (input_use_buffer && temp_buffer->bufferaddr) { + if (input_use_buffer && temp_buffer->bufferaddr && !secure_mode) { if (buffer->nFilledLen <= temp_buffer->buffer_len) { if (arbitrary_bytes) { memcpy (temp_buffer->bufferaddr, (buffer->pBuffer + buffer->nOffset),buffer->nFilledLen); -- cgit v1.2.3